We are looking into building a WDC to facilitate opening up access to our API, and I would like to understand how the whole process handles the API authentication.

When navigating to the WDC (interactive phase), our WDC should prompt the user for his/her API credentials (as the API uses basic auth), which should then be used to add the basic auth header to all subsequent API requests issued to the API by the WDC. This authentication data also needs to be saved somewhere so that refreshes can occur, but where?

When you publish the WDC data source to a Tableau Server, you have the option to allow refreshes, and it then shows you the username the refresh was created under. Can anyone tell me where this data is stored and how it is stored, i.e. is it encrypted throughout the whole WDC journey to server?